ZBF VPN Good Config

After reading some info on Julio's website, I have come to think my VPN configs are a bit too fat and not very streamline. My configs are starting to hammer CPU on the routers now, especially as the remote offices are now starting to use VDSL speeds. What are you thoughts?

Sorry for the late reply. I

Sorry for the late reply. I have not been getting any email notifications since the new support website was launched.

If that is all the ZBF config you have it is not much configured...relitively speaking. So that leads me to beleive that if you are experiencing performance issues it could be related to the amount of traffic that is traversing the 887 router, and its ability to handle that traffic.

You do have some redundant config in there but that should not affect performance in any significant way...just to point out an example:

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

inspect

class class-default

pass

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

This could have been done using just the ccp-cls-icmp-access class map. But as I said it should not affect performance.

Have you checked memory usage on the router and not just the CPU?

How many users are connecting through the router on a daily basis?

It could very well be that the amount of traffic passing through the router is becoming more than it can handle, and an upgrade to a more robust router is needed.

We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...
view more